8f461d836a5540a2c43018397ccea692206512053f77ca03ea6daf48484210e7

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Size

372KB
MD5

ce09de74a24ae5891ffdaf2b69c0b5d1
SHA1

dba92e1d8f7c659907c6bfa5626dc7c07be54a36
SHA256

8f461d836a5540a2c43018397ccea692206512053f77ca03ea6daf48484210e7
SHA512

829308d90942e0c266f0894f92eaf609d99c73c4c498bd6d675bf530e6e1e015dc4f70c66c3542059802a5af2fa2d401ab0d4925766cd541afe1578745125d5f
SSDEEP

3072:CEGh0oXlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe{AD397681-EF0E-439c-8A5C-7942FE835076}.exe{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe{937453AF-C144-4284-89FB-108B8C95F3FB}.exe{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62024203-7C9A-4ea8-B9D0-A67F35F12170}\stubpath = "C:\\Windows\\{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe"	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}\stubpath = "C:\\Windows\\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe"	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}\stubpath = "C:\\Windows\\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe"	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937453AF-C144-4284-89FB-108B8C95F3FB}\stubpath = "C:\\Windows\\{937453AF-C144-4284-89FB-108B8C95F3FB}.exe"	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D79C3D90-4810-4afb-915E-3E0AB7149993}\stubpath = "C:\\Windows\\{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe"	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}\stubpath = "C:\\Windows\\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe"	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB81FDA-A863-4f30-9893-60CA8DC40770}	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB81FDA-A863-4f30-9893-60CA8DC40770}\stubpath = "C:\\Windows\\{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe"	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F368AB53-23DC-4495-B599-F5B0A07F1442}\stubpath = "C:\\Windows\\{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe"	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937453AF-C144-4284-89FB-108B8C95F3FB}	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD397681-EF0E-439c-8A5C-7942FE835076}\stubpath = "C:\\Windows\\{AD397681-EF0E-439c-8A5C-7942FE835076}.exe"	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}\stubpath = "C:\\Windows\\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe"	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27F7A5F-07DD-4342-8221-365BEA397E1C}	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27F7A5F-07DD-4342-8221-365BEA397E1C}\stubpath = "C:\\Windows\\{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe"	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F368AB53-23DC-4495-B599-F5B0A07F1442}	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0918B047-F01F-420d-A7F5-188BA003CCA1}\stubpath = "C:\\Windows\\{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe"	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62024203-7C9A-4ea8-B9D0-A67F35F12170}	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD397681-EF0E-439c-8A5C-7942FE835076}	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D79C3D90-4810-4afb-915E-3E0AB7149993}	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0918B047-F01F-420d-A7F5-188BA003CCA1}	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe

Executes dropped EXE 12 IoCs

Processes:

{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe{937453AF-C144-4284-89FB-108B8C95F3FB}.exe{AD397681-EF0E-439c-8A5C-7942FE835076}.exe{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe

pid	process
4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
4140	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
4760	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
1412	{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe

Drops file in Windows directory 12 IoCs

Processes:

{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe{937453AF-C144-4284-89FB-108B8C95F3FB}.exe{AD397681-EF0E-439c-8A5C-7942FE835076}.exe{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe

description	ioc	process
File created	C:\Windows\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
File created	C:\Windows\{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
File created	C:\Windows\{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
File created	C:\Windows\{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
File created	C:\Windows\{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
File created	C:\Windows\{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
File created	C:\Windows\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
File created	C:\Windows\{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
File created	C:\Windows\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
File created	C:\Windows\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
File created	C:\Windows\{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
File created	C:\Windows\{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe{937453AF-C144-4284-89FB-108B8C95F3FB}.exe{AD397681-EF0E-439c-8A5C-7942FE835076}.exe{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
Token: SeIncBasePriorityPrivilege	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
Token: SeIncBasePriorityPrivilege	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
Token: SeIncBasePriorityPrivilege	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
Token: SeIncBasePriorityPrivilege	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
Token: SeIncBasePriorityPrivilege	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
Token: SeIncBasePriorityPrivilege	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
Token: SeIncBasePriorityPrivilege	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
Token: SeIncBasePriorityPrivilege	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
Token: SeIncBasePriorityPrivilege	4140	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
Token: SeIncBasePriorityPrivilege	4760	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1184 wrote to memory of 4152	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
PID 1184 wrote to memory of 4152	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
PID 1184 wrote to memory of 4152	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
PID 1184 wrote to memory of 4656	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 1184 wrote to memory of 4656	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 1184 wrote to memory of 4656	1184	2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe	cmd.exe
PID 4152 wrote to memory of 4036	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
PID 4152 wrote to memory of 4036	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
PID 4152 wrote to memory of 4036	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
PID 4152 wrote to memory of 4660	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	cmd.exe
PID 4152 wrote to memory of 4660	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	cmd.exe
PID 4152 wrote to memory of 4660	4152	{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe	cmd.exe
PID 4036 wrote to memory of 400	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
PID 4036 wrote to memory of 400	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
PID 4036 wrote to memory of 400	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
PID 4036 wrote to memory of 2380	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	cmd.exe
PID 4036 wrote to memory of 2380	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	cmd.exe
PID 4036 wrote to memory of 2380	4036	{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe	cmd.exe
PID 400 wrote to memory of 4740	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
PID 400 wrote to memory of 4740	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
PID 400 wrote to memory of 4740	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
PID 400 wrote to memory of 3276	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	cmd.exe
PID 400 wrote to memory of 3276	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	cmd.exe
PID 400 wrote to memory of 3276	400	{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe	cmd.exe
PID 4740 wrote to memory of 3296	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
PID 4740 wrote to memory of 3296	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
PID 4740 wrote to memory of 3296	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
PID 4740 wrote to memory of 3980	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	cmd.exe
PID 4740 wrote to memory of 3980	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	cmd.exe
PID 4740 wrote to memory of 3980	4740	{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe	cmd.exe
PID 3296 wrote to memory of 2204	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
PID 3296 wrote to memory of 2204	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
PID 3296 wrote to memory of 2204	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
PID 3296 wrote to memory of 2132	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	cmd.exe
PID 3296 wrote to memory of 2132	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	cmd.exe
PID 3296 wrote to memory of 2132	3296	{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe	cmd.exe
PID 2204 wrote to memory of 1928	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
PID 2204 wrote to memory of 1928	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
PID 2204 wrote to memory of 1928	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
PID 2204 wrote to memory of 2372	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	cmd.exe
PID 2204 wrote to memory of 2372	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	cmd.exe
PID 2204 wrote to memory of 2372	2204	{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe	cmd.exe
PID 1928 wrote to memory of 4268	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
PID 1928 wrote to memory of 4268	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
PID 1928 wrote to memory of 4268	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
PID 1928 wrote to memory of 876	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	cmd.exe
PID 1928 wrote to memory of 876	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	cmd.exe
PID 1928 wrote to memory of 876	1928	{937453AF-C144-4284-89FB-108B8C95F3FB}.exe	cmd.exe
PID 4268 wrote to memory of 3244	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
PID 4268 wrote to memory of 3244	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
PID 4268 wrote to memory of 3244	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
PID 4268 wrote to memory of 4368	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	cmd.exe
PID 4268 wrote to memory of 4368	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	cmd.exe
PID 4268 wrote to memory of 4368	4268	{AD397681-EF0E-439c-8A5C-7942FE835076}.exe	cmd.exe
PID 3244 wrote to memory of 4140	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
PID 3244 wrote to memory of 4140	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
PID 3244 wrote to memory of 4140	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
PID 3244 wrote to memory of 1376	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	cmd.exe
PID 3244 wrote to memory of 1376	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	cmd.exe
PID 3244 wrote to memory of 1376	3244	{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe	cmd.exe
PID 4140 wrote to memory of 4760	4140	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
PID 4140 wrote to memory of 4760	4140	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
PID 4140 wrote to memory of 4760	4140	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe	{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
PID 4140 wrote to memory of 1984	4140	{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_ce09de74a24ae5891ffdaf2b69c0b5d1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
C:\Windows\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
C:\Windows\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9DE~1.EXE > nul
4⤵
PID:2380

C:\Windows\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
C:\Windows\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
C:\Windows\{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
C:\Windows\{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
C:\Windows\{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
C:\Windows\{937453AF-C144-4284-89FB-108B8C95F3FB}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
C:\Windows\{AD397681-EF0E-439c-8A5C-7942FE835076}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
C:\Windows\{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
C:\Windows\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
C:\Windows\{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe
C:\Windows\{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe
13⤵
- Executes dropped EXE
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0918B~1.EXE > nul
13⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A6EBA~1.EXE > nul
12⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D79C3~1.EXE > nul
11⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD397~1.EXE > nul
10⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{93745~1.EXE > nul
9⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F368A~1.EXE > nul
8⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B27F7~1.EXE > nul
7⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB81~1.EXE > nul
6⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B207D~1.EXE > nul
5⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{04687~1.EXE > nul
3⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04687E54-7EBD-4a32-9A3D-2B6641EF1799}.exe

Filesize
372KB

MD5
0c72e1d20e4ec4b4ef4bd7ff4ab73c07

SHA1
17778a3e6d0611714c95f8627d5861a297cbf82e

SHA256
1a9702db01e41b170660aa32362d223bc137e7405270436b1532b16cf13679c4

SHA512
4aa7e31a576e70b11dcad78ac5ad31cfbdfd68132e200799a360546c32a4d20f5ae96e89d33ec9ef851f374a2e39058603cc044b082195a3ad0297d886e9ce58

Download Submit
C:\Windows\{0918B047-F01F-420d-A7F5-188BA003CCA1}.exe

Filesize
372KB

MD5
8953b78be4526c4ef97e9a016129df67

SHA1
0f76bb1b9d7f99eb2368da22ba0c693b61892bc4

SHA256
dec43d0651589eaf2d21ea4492c68889ed6b9890a39ec752d0625a3b61dff98c

SHA512
ad7562e99d8f94b91682fab1853eeaacb4a756c1113c628e25e67c4efe75334cb052939777832ad9bcb9b1a219ffd7f15fd761f7e8ccf832f241155dc6b67a2e

Download Submit
C:\Windows\{62024203-7C9A-4ea8-B9D0-A67F35F12170}.exe

Filesize
372KB

MD5
55e8e9cd84788c61c53eccf67997ec3b

SHA1
e8e803074d0109b3c3660965e77948c77ebcd4ae

SHA256
38578dc26d99bb4546b41e5b0d18aab46d18577bdd03075fab5aaabbd91ed30f

SHA512
eff5eeba628614df0e953268afa7d671156e0f92ec5b9d7928cd6936bcabc6f62642c2deae3f23817d11acfd607aeef04d884123298f3a0963b266ee4d81a91a

Download Submit
C:\Windows\{8AB81FDA-A863-4f30-9893-60CA8DC40770}.exe

Filesize
372KB

MD5
6ac7ad01273ec0a246679868dc8a021a

SHA1
5c1965cf3cbca9e3524e5429689939bd3c7bde9f

SHA256
b298231b45a875a0a4220b133535c31463d3f6b25efbf68ca9ef44fa86bdb952

SHA512
c6297640e688a6f6907434604a2a6e5a12aef3fd90c613314942768777f1e8727a8e16b4697907f197383b8c0fb76f1add8ee07882c88bf45b265b77e3b3e0bd

Download Submit
C:\Windows\{937453AF-C144-4284-89FB-108B8C95F3FB}.exe

Filesize
372KB

MD5
aeb7e5c89ac87a3990c24f3b84dc1f16

SHA1
ba81b096ca7c9a53f1be51801a4803ab1eff05e5

SHA256
2bc60973f083439406948e267cd8bb40e2a26be081b90246bbb2b8586511cef5

SHA512
c1654e83c0c14454c6a70566bbad1020448675b1aa71bae0fe08d21a2492c9245497c5ff63584a79b1c2dc8ca3f1ba8527559fae632daba79c11e659e862663c

Download Submit
C:\Windows\{A6EBA3E8-4FAB-4867-B53D-ADD2AD46B493}.exe

Filesize
372KB

MD5
dc238d0f8ca701a7f54b731360a534fa

SHA1
bd26bd8626025d1bbcf6afbbd22455be7678c58e

SHA256
d8f0d01978072f71cef95b39bac627f82e6b8946329814e2c00a090a2898de18

SHA512
73420a7a406bdcf7502915fe0ab3e4a0086303e06f2d0148148b81bf82a87250efa91d7b0e8d382692a154aa32d6af77027a556516df319c07a70a5185eb484e

Download Submit
C:\Windows\{AD397681-EF0E-439c-8A5C-7942FE835076}.exe

Filesize
372KB

MD5
0f41429610d90388a2d4ba1e96f71a3c

SHA1
58b30f988ead08b2b2512640c1f96b088c0cb9e5

SHA256
7a5d9cf093968f30d18842d62021c06ab28b5d0471de09fc15a83cbfbde33ea1

SHA512
0783b08607c6231668d76f50346bab855223d92342a42f8118e5c06dbe28ed41ed9c982f6ad45aa8ed436386ffb90cb5e737e47445ab1f0be29f62d3453dbf82

Download Submit
C:\Windows\{B207D69D-FA72-4bb4-8D25-112D5DB73A23}.exe

Filesize
372KB

MD5
10ba2c407efb5f79e9b6607b9801d048

SHA1
772a00afcc0edd8fc8f2220eec54ca52628bfe5d

SHA256
6945706cac43c49442b51af70df332c7008b7f677aefc8b15f93ff0b48333abc

SHA512
2bc7f5b0ac6ff076ee263d0978e40bd3ce8216226cc5ec2dfaab9ca992731e18cd5ca1c41eeb107d5e38750688b3b9b7925e569756f441b81df9e76c5286b5b4

Download Submit
C:\Windows\{B27F7A5F-07DD-4342-8221-365BEA397E1C}.exe

Filesize
372KB

MD5
4bbb1a18934c5bf5222ff20900ef0849

SHA1
be81c7f49bc45fe2ad796d8b93ac1c0c229a50ef

SHA256
bb333ccbd11f0cb663988ab4a3caf7ef926eea67107c023b7ec7cc8efeb5f68e

SHA512
c8022189c44b26f65fd60c681bdf070424e66e8ca925ba4ae592e166f4fe40d8331ddc8762e2d7016fb2deff35480127b60a5f5d0133775ad60ce1160d738df7

Download Submit
C:\Windows\{D79C3D90-4810-4afb-915E-3E0AB7149993}.exe

Filesize
372KB

MD5
1430bac2d77b092872748487339b7918

SHA1
447d0430d9f303f6ea4963488d5be50ba0af6337

SHA256
0e4956a0cad33cd79d31ad58935b8b76656e8d4d959d7f9d3e5bd4d1e342c30e

SHA512
93926d9dcb46be260b6d6df811bee680c49ff0a329dbb3dfd7e3492c4c1b8036311a6dba29a14f7af09810c2ff8e9a2c575b6b3ffde4cc18e595117e8108b92c

Download Submit
C:\Windows\{DD9DEBF1-622B-40cb-81D0-FC5A7BA84606}.exe

Filesize
372KB

MD5
4632beefc3e6f60ed5817bf208f6937c

SHA1
3a96a1f195b3220de26cc3e015983b7980f42cbf

SHA256
92962211e8fa774e458539e0f8d6ac048c1c3b282f15086b87452ee4dccc5e26

SHA512
1e0e795621b88c58649bd89d99ecc85dbd70a169e89c943454322aa1f54c94db6e0b59dfc6caa1dc39ff617046e8c873f4928431964380c2868fe3d5a1b136bc

Download Submit
C:\Windows\{F368AB53-23DC-4495-B599-F5B0A07F1442}.exe

Filesize
372KB

MD5
8d01a7b620b0020bcfc3667f824fd098

SHA1
f5d47892d27a9f72a75b46fd852a973f1c1ac981

SHA256
0123ea592ce66fb5759a70e829839a19902e5b27789c89cb3f38636e5ab25f53

SHA512
19ce3773a7507615bc15c78dbd9e34920402f3e42a5a8d2dc47b2f9f80ba45a55d58aba33f6249503273419c0a52fcdf445b167ca451a5257c1b732f57a436ff

Download Submit